Cryptography
Lecture Notes from CS276, Spring 2009
Luca Trevisan
Stanford University

Foreword

These are scribed notes from a graduate course on Cryptography offered at the University of California, Berkeley, in the Spring of 2009. The notes have been only minimally edited, and there may be several errors and imprecisions.

We use a definition of security against a chosen ciphertext attack (CCA-security) that is weaker than the standard one: a scheme can satisfy it while still being open to some attacks that the standard definition rules out. The weaker definition that we use here, however, is much easier to define and reason about.

I wish to thank the students who attended this course for their enthusiasm and hard work. Thanks to Anand Bhaskar, Siu-Man Chan, Siu-On Chan, Alexandra Constantin, James Cook, Anindya De, Milosh Drezgich, Matt Finifter, Ian Haken, Steve Hanna, Nick Jalbert, Manohar Jonnalagedda, Mark Landry, Anupam Prakash, Bharath Ramsundar, Jonah Sherman, Cynthia Sturton, Madhur Tulsiani, Guoming Wang, and Joel Weinberger for scribing some of the notes.

While offering this course and writing these notes, I was supported by the National Science Foundation, under grant CCF 0729137. Any opinions, findings and conclusions or recommendations expressed in these notes are my own and do not necessarily reflect the views of the National Science Foundation.

San Francisco, May 19, 2011.
Luca Trevisan

© 2011 by Luca Trevisan
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Contents

Foreword
1 Introduction
1.1 Alice, Bob, Eve, and the others
1.2 The Pre-history of Encryption
1.3 Perfect Security and One-Time Pad
2 Notions of Security
2.1 Semantic Security
2.2 Security for Multiple Encryptions: Plain Version
2.3 Security against Chosen Plaintext Attack
3 Pseudorandom Generators
3.1 Pseudorandom Generators And One-Time Encryption
3.2 Description of RC4
4 Encryption Using Pseudorandom Functions
4.1 Pseudorandom Functions
4.2 Encryption Using Pseudorandom Functions
4.3 The Randomized Counter Mode
5 Encryption Using Pseudorandom Permutations
5.1 Pseudorandom Permutations
5.1.1 Some Motivation
5.1.2 Definition
5.2 The AES Pseudorandom Permutation
5.3 Encryption Using Pseudorandom Permutations
5.3.1 ECB Mode
5.3.2 CBC Mode
6 Authentication
6.1 Message Authentication
6.2 Construction for Short Messages
6.3 Construction for Messages of Arbitrary Length
7 CCA-Secure Encryption
7.1 CBC-MAC
7.2 Combining MAC and Encryption
8 Collision-Resistant Hash Functions
8.1 Combining Encryption and Authentication
8.1.1 Encrypt-Then-Authenticate
8.1.2 Encrypt-And-Authenticate
8.1.3 Authenticate-Then-Encrypt
8.2 Cryptographic Hash Functions
8.2.1 Definition and Birthday Attack
8.2.2 The Merkle-Damgård Transform
8.3 Hash Functions and Authentication
9 One-Way Functions and Hardcore Predicates
9.1 One-way Functions and One-way Permutations
9.2 A Preview of What is Ahead
9.3 Hard-Core Predicate
9.4 The Goldreich-Levin Theorem
9.5 The Goldreich-Levin Algorithm
9.6 References
10 PRGs from One-Way Permutations
10.1 Pseudorandom Generators from One-Way Permutations
11 Pseudorandom Functions from PRGs
11.1 Pseudorandom generators evaluated on independent seeds
11.2 Construction of Pseudorandom Functions
11.2.1 Considering a tree of small depth
11.2.2 Proving the security of the GGM construction
12 Pseudorandom Permutations from PRFs
12.1 Pseudorandom Permutations
12.2 Feistel Permutations
12.3 The Luby-Rackoff Construction
12.4 Analysis of the Luby-Rackoff Construction
13 Public-key Encryption
13.1 Public-Key Cryptography
13.2 Public Key Encryption
13.3 Definitions of Security
13.4 The Decision Diffie-Hellman Assumption
13.5 Decision Diffie Hellman and Quadratic Residues
13.6 El Gamal Encryption
14 CPA-secure Public-Key Encryption
14.1 Hybrid Encryption
14.2 RSA
14.3 Trapdoor Permutations and Encryption
15 Signature Schemes
15.1 Signature Schemes
15.2 One-Time Signatures and Key Refreshing
15.3 From One-Time Signatures to Fully Secure Signatures
16 Signature Schemes in the Random Oracle Model
16.1 The Hash-and-Sign Scheme
16.2 Analysis
17 CCA Security with a Random Oracle
17.1 Hybrid Encryption with a Random Oracle
17.2 Security Analysis
18 Zero Knowledge Proofs
18.1 Intuition
18.2 The Graph Non-Isomorphism Protocol
18.3 The Graph Isomorphism Protocol
18.4 A Simulator for the Graph Isomorphism Protocol
19 Zero Knowledge Proofs of Quadratic Residuosity
19.1 The Quadratic Residuosity Problem
19.2 The Quadratic Residuosity Protocol
20 Proofs of Knowledge and Commitment Schemes
20.1 Proofs of Knowledge
20.2 Uses of Zero Knowledge proofs
20.3 Commitment Scheme
21 Zero Knowledge Proofs of 3-Colorability
21.1 A Protocol for 3-Coloring
21.2 Simulability
21.3 Computational Zero Knowledge
21.4 Proving that the Simulation is Indistinguishable

Lecture 1
Introduction

This course assumes CS170, or equivalent, as a prerequisite. We will assume that the reader is familiar with the notions of algorithm and running time, as well as with basic notions of algebra (for example arithmetic in finite fields), discrete math and probability.
General information about the class, including prerequisites, grading, and recommended references, is available on the class home page.

Cryptography is the mathematical foundation on which one builds secure systems. It studies ways of securely storing, transmitting, and processing information. Understanding what cryptographic primitives can do, and how they can be composed together, is necessary to build secure systems, but not sufficient. Several additional considerations go into the design of secure systems, and they are covered in various Berkeley graduate courses on security.

In this course we will see a number of rigorous definitions of security, some of them requiring seemingly outlandish strength, even against entirely implausible attacks, and we shall see how, if any cryptography at all is possible, then it is also possible to satisfy such extremely strong notions of security. For example, we shall look at a notion of security for encryption in which an adversary should not be able to learn any information about a message given its ciphertext, even if the adversary is allowed to obtain encryptions of any messages of his choice, and decryptions of any ciphertexts of his choice, with the only exception of the one ciphertext he is trying to decrypt. We shall also see extremely powerful (but also surprisingly simple and elegant) ways to define security for protocols involving several untrusted participants. Learning to think rigorously about security, and seeing what kind of strength is possible, at least in principle, is one of the main goals of this course.

We will also see a number of constructions, some interesting for the general point they make (that certain weak primitives are sufficient to make very strong constructions), some efficient enough to have made their way into commercial products.
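The encryption notion sketched above (the adversary may ask for encryptions and decryptions of anything except the challenge ciphertext) is easiest to appreciate by playing the game against a concrete scheme. The following is an added example, not code from the notes: a small Python harness for the chosen-ciphertext game, with a toy randomized counter-mode cipher (HMAC-SHA256 standing in for the pseudorandom function) and the same cipher wrapped in an encrypt-then-MAC layer. The scheme names, the key layout and the adversary are this example's own constructions. The harness plays the standard game, in which the decryption oracle stays available after the challenge; as the foreword says, the notes themselves work with a weaker variant. What it shows is why the "except the challenge" clause has teeth: the unauthenticated cipher loses to an adversary that flips one bit of the challenge, asks for the decryption of that (different, hence permitted) ciphertext, and undoes the flip, whereas the MAC-wrapped cipher rejects the tampered ciphertext and the same adversary is reduced to guessing.

```python
"""Added example, not from the notes: the introduction's CCA game against a
malleable counter-mode cipher and against the same cipher under encrypt-then-MAC."""
import hashlib
import hmac
import random

NONCE_LEN, TAG_LEN = 16, 32

def keystream(key, nonce, length):
    # PRF(key, nonce || counter) blocks, HMAC-SHA256 standing in for the PRF
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class CounterMode:
    """Randomized counter mode, no authentication: CPA-secure but malleable."""
    def __init__(self, key, rng):
        self.key, self.rng = key, rng

    def encrypt(self, m):
        nonce = self.rng.getrandbits(8 * NONCE_LEN).to_bytes(NONCE_LEN, "big")
        return nonce + xor(m, keystream(self.key, nonce, len(m)))

    def decrypt(self, c):
        nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
        return xor(body, keystream(self.key, nonce, len(body)))

class EncryptThenMac(CounterMode):
    """Same cipher plus a MAC tag over the ciphertext; forgeries are rejected."""
    def __init__(self, key, rng):
        super().__init__(key[:32], rng)
        self.mac_key = key[32:]

    def encrypt(self, m):
        c = super().encrypt(m)
        return c + hmac.new(self.mac_key, c, hashlib.sha256).digest()

    def decrypt(self, c):
        body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, body, hashlib.sha256).digest()):
            return None  # not produced by the encryptor: refuse to decrypt
        return super().decrypt(body)

class CCAGame:
    """Challenger: enc oracle, dec oracle refusing only the challenge, one challenge."""
    def __init__(self, scheme, rng):
        self.scheme, self.rng, self.challenge_ct, self.bit = scheme, rng, None, None

    def enc(self, m):
        return self.scheme.encrypt(m)

    def dec(self, c):
        if c == self.challenge_ct:
            raise ValueError("decrypting the challenge ciphertext is forbidden")
        return self.scheme.decrypt(c)

    def challenge(self, m0, m1):
        assert len(m0) == len(m1) and self.challenge_ct is None
        self.bit = self.rng.getrandbits(1)
        self.challenge_ct = self.enc(m1 if self.bit else m0)
        return self.challenge_ct

def flip_first_body_bit(c):
    i = NONCE_LEN  # first byte of the encrypted body, right after the nonce
    return c[:i] + bytes([c[i] ^ 0x01]) + c[i + 1:]

def bit_flip_adversary(game):
    """Decrypt a one-bit variant of the challenge (allowed: it is a different
    ciphertext), undo the flip on the plaintext, and read off the bit."""
    m0, m1 = bytes(16), bytes([0xFF] * 16)
    p = game.dec(flip_first_body_bit(game.challenge(m0, m1)))
    if p is None:  # forgery rejected: nothing learned, so just guess 0
        return 0
    return 1 if xor(p, b"\x01" + bytes(15)) == m1 else 0

def win_rate(scheme_cls, adversary, trials=200, seed=1):
    """Fraction of games won; 0.5 means the adversary has no advantage."""
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        key = rng.getrandbits(512).to_bytes(64, "big")
        game = CCAGame(scheme_cls(key, rng), rng)
        wins += adversary(game) == game.bit
    return wins / trials

def oracle_checks(seed=0):
    """(challenge query refused, tampered ciphertext rejected) for encrypt-then-MAC."""
    rng = random.Random(seed)
    game = CCAGame(EncryptThenMac(rng.getrandbits(512).to_bytes(64, "big"), rng), rng)
    c = game.challenge(bytes(16), bytes(16))
    try:
        game.dec(c)
        refused = False
    except ValueError:
        refused = True
    return refused, game.dec(flip_first_body_bit(c)) is None
```

Calling win_rate(CounterMode, bit_flip_adversary) gives 1.0: every trial is won, so the unauthenticated scheme is not CCA-secure even though a one-bit change to the ciphertext looks harmless. Calling win_rate(EncryptThenMac, bit_flip_adversary) hovers around 0.5, because the tampered ciphertext fails the tag check and the oracle returns nothing useful. The second number only says that this particular attack is blocked; it is not a proof of security, which is what the later lectures on combining MACs with encryption supply.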
1.1 Alice, Bob, Eve, and the others

Most of this class will be devoted to the following simplified setting: Alice and Bob communicate over an insecure channel, such as the internet or a cell phone. An eavesdropper, Eve, is able to see the whole communication and to inject her own messages in the